Face based biometric authentication systems operate by capturing images of a user's face at a point of authentication (e.g., at a time the user attempts to access a secured resource, such as a device or application) and analyzing the captured images against one or more enrolled facial templates in order to verify the identity of the user. Since these systems generally rely on comparing static facial features between the captured images and the facial templates, they are vulnerable to replay attacks. In such an attack, an imposter presents a still photograph or video of an enrolled user's face to a face based authenticator, with the hopes that the authenticator will mistake the photograph or video for the actual enrolled user. If the authenticator is not able to detect/verify the “liveness” of the presented face (i.e., determine whether the face belongs to a live individual or not), the authenticator may indeed be fooled and allow entry/access to the imposter.
One way to reduce the vulnerability of face based authentication systems to replay attacks is to combine face recognition with other modes of biometric authentication (e.g., voice recognition). This makes it more difficult for an imposter to spoof an enrolled user because the imposter must present two or more forms of biometric replay data in order to fool the authenticator (e.g., a photograph/video of the enrolled user's face for face recognition and a recording of the enrolled user's voice for voice recognition). However, with the prevalence of mobile devices such as smartphones, tablets, etc. having built-in displays and microphones, as well as the ease with which photographs and voice recordings can be captured and shared via social media, even combined face and voice based authentication systems are becoming increasingly vulnerable to replay attacks.
Accordingly, it would be desirable to have improved techniques for verifying the liveness of biometric data presented to a face-based authentication system (whether the system relies solely on face recognition or multiple recognition modalities). With such techniques, the authentication system may quickly identify data that is not deemed to be from a live subject as corresponding to a replay attack.